
I am using strongswan as a vpn server for road warriors. I have two machines running the software, one on raspbian and one on CentOS 7. The raspbian machine works fine but not the CentOS one.

The problem with the CentOS one seems to be that packets are not tunneled.

Here is an output from tshark.

  88 6.655929830  67.22.27.75 → 10.202.121.120 ESP 146 ESP (SPI=0xc542d5c5)
   89 6.655929830  192.168.3.1 → 8.8.4.4      DNS 71 Standard query 0x26a6 A dealsea.com

67.22.27.75 is the ip of the road warrior and 192.168.3.1 is the virtual ip assigned by strongswan.

On the working instance of raspbian, the tshark output looks like:

45 3.318470851 104.38.166.37 → 10.111.58.102 ESP 146 ESP (SPI=0xc7ca8886)
   46 3.318470851 10.202.122.1 → 8.8.4.4      DNS 67 Standard query 0x10af A psu.edu
   47 3.318656688 10.111.58.102 → 8.8.4.4      DNS 67 Standard query 0x10af A psu.edu

Here 104.38.166.37 is the ip of the road warrior, 10.202.122.1 is the virtual ip, and 10.111.58.102 is the ip of the strongswan server in its local network.

The two machines use the same configuration files:

ipsec.conf

config setup
    # Level-2 logging for every charon subsystem: fine while debugging,
    # very noisy in production.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
    # Do not replace an existing IKE_SA when the same identity connects
    # again; several sessions per (EAP) account can coexist.
    uniqueids=no
conn ikev2-vpn
     # Load the connection but never initiate it; road warriors call in.
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     # IKEv2 message fragmentation, for paths that drop large UDP datagrams.
     fragmentation=yes
     # Always UDP-encapsulate ESP on port 4500, even when no NAT is detected
     # (consistent with the udp/4500 accept rule in the server's firewall).
     forceencaps=yes
     # The trailing "!" makes the proposal strict: only this exact suite
     # is offered/accepted.
     ike=aes256-sha256-modp2048!
     # ESP proposal without a DH group, i.e. no PFS on CHILD_SA rekeying.
     esp=aes256-sha256!
     dpdaction=clear
     dpddelay=300s
     # This side never initiates rekeying; the client has to.
     rekey=no
     left=%any
     # "@" marks a literal FQDN identity; it is not resolved.
     leftid=@MYHOSTNAME
     leftcert=/etc/strongswan/ipsec.d/certs/vpn-server-cert.pem
     # The server always presents its certificate; EAP-MSCHAPv2 below is
     # only as safe as the client's validation of this certificate.
     leftsendcert=always
     # Full tunnel: all client traffic is sent through the server, so the
     # server must forward and NAT it (see the firewall rules below).
     leftsubnet=0.0.0.0/0
     right=%any
     # Any IKE identity is accepted; the client is authenticated by EAP.
     rightid=%any
     rightauth=eap-mschapv2
     # Virtual-IP pool. NOTE(review): the raspbian capture shows a client
     # at 10.202.122.1 (this pool), but the CentOS capture shows
     # 192.168.3.1, which is not in this pool - the CentOS instance is
     # apparently not running this exact file; worth re-checking.
     rightsourceip=10.202.122.1/24
     rightdns=8.8.8.8,8.8.4.4
     rightsendcert=never
     # Use the EAP identity (not the IKE identity) to look up the client.
     eap_identity=%identity

strongswan.conf

# Stock packaged layout: with load_modular the per-plugin "load" settings
# in the included strongswan.d/charon/*.conf files decide which plugins
# charon loads; nothing here overrides any default.
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

include strongswan.d/*.conf

iptables-save output on server:

# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
# (review) firewalld "drop" zone on enp0s25. The only NAT rule is the
# MASQUERADE reached via POSTROUTING -> POST_drop -> POST_drop_allow;
# all PRE_drop_* chains are empty.
*nat
:PREROUTING ACCEPT [6817:1235375]
:INPUT ACCEPT [18:2342]
:OUTPUT ACCEPT [37384:3449660]
:POSTROUTING ACCEPT [1:42]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_drop - [0:0]
:POST_drop_allow - [0:0]
:POST_drop_deny - [0:0]
:POST_drop_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
# Every packet reaches POST_drop, either by interface or via the catch-all.
-A POSTROUTING_ZONES -o enp0s25 -j POST_drop
-A POSTROUTING_ZONES -j POST_drop
-A POST_drop -j POST_drop_log
-A POST_drop -j POST_drop_deny
-A POST_drop -j POST_drop_allow
# Unconditional source NAT for everything leaving a non-loopback interface.
# This also rewrites packets that the IPsec policy would then encrypt
# toward a road warrior; the strongSwan forwarding wiki (linked in the
# comments below) recommends exempting IPsec-bound traffic with a
# "-m policy --pol ipsec --dir out -j ACCEPT" rule ahead of the MASQUERADE.
-A POST_drop_allow ! -o lo -j MASQUERADE
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*mangle
:PREROUTING ACCEPT [119158:81622108]
:INPUT ACCEPT [119106:81612125]
:FORWARD ACCEPT [51:9630]
:OUTPUT ACCEPT [182387:35412441]
:POSTROUTING ACCEPT [188177:36690351]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*security
:INPUT ACCEPT [106545:79110205]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [182387:35412441]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*raw
:PREROUTING ACCEPT [119158:81622108]
:OUTPUT ACCEPT [182387:35412441]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
# (review) firewalld "drop" zone on enp0s25. Inbound IKE/ESP is admitted
# through IN_drop_allow, but the FORWARD path ends in an unconditional
# DROP (see FWDI_drop below), which is the most likely place where the
# road warrior's decrypted traffic is discarded on this host.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [182387:35412441]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_drop - [0:0]
:FWDI_drop_allow - [0:0]
:FWDI_drop_deny - [0:0]
:FWDI_drop_log - [0:0]
:FWDO_drop - [0:0]
:FWDO_drop_allow - [0:0]
:FWDO_drop_deny - [0:0]
:FWDO_drop_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_drop - [0:0]
:IN_drop_allow - [0:0]
:IN_drop_deny - [0:0]
:IN_drop_log - [0:0]
:OUTPUT_direct - [0:0]
# INPUT: return traffic and loopback first, then the zone chains; whatever
# is left is rejected at the end of the chain.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# FORWARD: only RELATED/ESTABLISHED flows pass here. The first packet of
# every road-warrior connection is NEW and has to get through
# FORWARD_IN_ZONES, which it cannot (see FWDI_drop).
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
# Every packet entering FORWARD_IN_ZONES is sent to FWDI_drop, by
# interface or by the catch-all on the next line.
-A FORWARD_IN_ZONES -i enp0s25 -j FWDI_drop
-A FORWARD_IN_ZONES -j FWDI_drop
-A FORWARD_OUT_ZONES -o enp0s25 -j FWDO_drop
-A FORWARD_OUT_ZONES -j FWDO_drop
# FWDI_drop_log, FWDI_drop_deny and FWDI_drop_allow contain no rules, so
# the chain falls through to the unconditional DROP: no NEW forwarded
# packet, from any interface, gets past this point. This matches the
# CentOS capture, where the decrypted query (192.168.3.1 -> 8.8.4.4) is
# seen but the forwarded, masqueraded copy never appears, while the
# raspbian capture shows that copy (packet 47).
# NOTE(review): the comments below say the tunnel still fails with
# firewalld disabled; in that case net.ipv4.ip_forward on the server is
# the next thing to verify - TODO.
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j DROP
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
# FWDO_drop_allow would admit NEW flows on the way out, but it is only
# reached via FORWARD_OUT_ZONES, after FWDI_drop has already dropped them.
-A FWDO_drop_allow -m conntrack --ctstate NEW -j ACCEPT
-A INPUT_ZONES -i enp0s25 -j IN_drop
-A INPUT_ZONES -j IN_drop
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
-A IN_drop -j DROP
# Inbound ESP/AH and IKE (udp/500, udp/4500 for NAT-T / forceencaps) are
# accepted; the two UDP rules are listed twice, a harmless duplicate.
-A IN_drop_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Oct  6 09:09:50 2017

iptables-save output on client:

# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*nat
:PREROUTING ACCEPT [5730:255228]
:INPUT ACCEPT [166:9920]
:OUTPUT ACCEPT [134648:14023445]
:POSTROUTING ACCEPT [134648:14023445]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_drop - [0:0]
:POST_drop_allow - [0:0]
:POST_drop_deny - [0:0]
:POST_drop_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o wlp3s0 -j POST_drop
-A POSTROUTING_ZONES -j POST_drop
-A POST_drop -j POST_drop_log
-A POST_drop -j POST_drop_deny
-A POST_drop -j POST_drop_allow
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*mangle
:PREROUTING ACCEPT [4053472:653310426]
:INPUT ACCEPT [4050417:653148889]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:POSTROUTING ACCEPT [3992350:10498514887]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*security
:INPUT ACCEPT [4027162:648560078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*raw
:PREROUTING ACCEPT [4053472:653310426]
:OUTPUT ACCEPT [3972204:10494033871]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_drop - [0:0]
:FWDI_drop_allow - [0:0]
:FWDI_drop_deny - [0:0]
:FWDI_drop_log - [0:0]
:FWDO_drop - [0:0]
:FWDO_drop_allow - [0:0]
:FWDO_drop_deny - [0:0]
:FWDO_drop_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_drop - [0:0]
:IN_drop_allow - [0:0]
:IN_drop_deny - [0:0]
:IN_drop_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i wlp3s0 -j FWDI_drop
-A FORWARD_IN_ZONES -j FWDI_drop
-A FORWARD_OUT_ZONES -o wlp3s0 -j FWDO_drop
-A FORWARD_OUT_ZONES -j FWDO_drop
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j DROP
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
-A INPUT_ZONES -i wlp3s0 -j IN_drop
-A INPUT_ZONES -j IN_drop
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
-A IN_drop -j DROP
COMMIT
# Completed on Fri Oct  6 09:15:58 2017

How can I make the CentOS instance work?

Qijun Tan
  • What does the output of `iptables-save` look like on the server? It would seem the NAT rule is only applied to the traffic from one of the hosts (or rather one of the virtual IP subnets). – ecdsa Oct 06 '17 at 07:19
  • @ecdsa It's too long. I have added it to the question. – Qijun Tan Oct 06 '17 at 13:28
  • You want to avoid NATing traffic intended for IPsec tunnels. See [this wiki entry](https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling#Hosts-on-the-Internet) for details. – ecdsa Oct 06 '17 at 13:43
  • @ecdsa I have executed `iptables -t nat -A POSTROUTING -s 192.168.3.1/24 -m policy --dir out --pol ipsec -j ACCEPT`, `iptables -t nat -A POSTROUTING -s 192.168.3.1/24 -j MASQUERADE` and `iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT`. The problem is still there. – Qijun Tan Oct 06 '17 at 14:01
  • @ecdsa I don't know if it is relevant. I have tried disabling firewalld and selinux. The vpn still cannot work. – Qijun Tan Oct 06 '17 at 14:13
